Heartbeat, Heartbleed & Boom22

So by now anyone with access to an internet connected device has heard the spine chilling term “Heartbleed”, which in its own right is a pretty shocking discovery. However, when you pile on the media whirlwind that accompanied it, you now have a lot of scared internet users who are unsure if they are safe to venture back online.

When Heartbleed was announced and started circulating on the internet news sites, I started getting phone calls and text messages from pretty much everyone on my phone’s contact list and, strangely enough, from a few who weren’t.

So let’s give an overview of what this is, what happened, what is happening and what you should be doing.

So what is OpenSSL?

OpenSSL is an open-source implementation of SSL (Secure Sockets Layer) and TLS (Transport Layer Security). To give a basic explanation of what this does, SSL/TLS (and so OpenSSL) is used to provide a secure, encrypted connection between two internet connected devices. The most common places you would see it in use are when you make online purchases, do online banking, or log in to your social media accounts or email. It provides a secure channel between client and server for any data that needs to be kept away from prying eyes, most commonly login credentials and banking details.

Who uses OpenSSL?

OpenSSL is used by a wide variety of high profile websites such as:

  • Facebook
  • Youtube
  • Instagram
  • Yahoo
  • Google
  • Gmail
  • Netflix
  • GoDaddy Hosting
  • Etsy

These are just a few of the high profile websites that use OpenSSL and in turn were impacted by the Heartbleed discovery.

What is heartbleed?

Heartbleed is a buffer over-read vulnerability within the Heartbeat Extension of OpenSSL.

So what does this mean to the average web user? It means that an attacker could read data out of a vulnerable server’s memory, including session data, login credentials and other information that ideally is best kept private.
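To make the “buffer over-read” concrete, here is an added illustration (not code from the original post, and not OpenSSL’s own source): a simplified Python model of a TLS Heartbeat message handler. A heartbeat message carries a 2-byte length field that says how long the payload is; the flawed handler copied that many bytes back to the peer without checking that the payload actually fitted inside the record it had received, so whatever happened to sit after the record in memory was echoed back. The second handler adds the bounds check that the fix introduced. The in-memory layout and the “neighbouring” data are constructed for the demonstration.

```python
import struct

# Message layout from the Heartbeat Extension: type(1) | payload_length(2) | payload | padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # the extension requires at least 16 bytes of padding

# Constructed stand-in for unrelated data that happens to follow the record in memory.
NEIGHBOUR = b"session=abc123; Authorization: Basic ZGVtbzpwYXNz"


def build_heartbeat_record(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request whose length field may disagree with the real payload."""
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack("!H", claimed_length)
            + payload
            + b"\x00" * PADDING_LEN)


def make_memory(record: bytes, neighbour: bytes, size: int = 4096) -> bytearray:
    """Constructed model of a process heap: the received record, then other data."""
    memory = bytearray(size)
    memory[:len(record)] = record
    memory[len(record):len(record) + len(neighbour)] = neighbour
    return memory


def handle_heartbeat_vulnerable(memory: bytearray, offset: int, record_len: int):
    """Flawed logic: trusts the peer-supplied length and never compares it to record_len."""
    pos = offset
    hb_type = memory[pos]
    pos += 1
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload_length = struct.unpack("!H", memory[pos:pos + 2])[0]
    pos += 2
    # Over-read: copies payload_length bytes even if the record is shorter than that.
    echoed = bytes(memory[pos:pos + payload_length])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + echoed


def handle_heartbeat_fixed(memory: bytearray, offset: int, record_len: int):
    """Corrected logic: the declared payload plus header and padding must fit the record."""
    pos = offset
    hb_type = memory[pos]
    pos += 1
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload_length = struct.unpack("!H", memory[pos:pos + 2])[0]
    pos += 2
    # Bounds check: 1 type byte + 2 length bytes + payload + padding must not exceed the record.
    if 1 + 2 + payload_length + PADDING_LEN > record_len:
        return None  # discard the malformed request instead of answering it
    echoed = bytes(memory[pos:pos + payload_length])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + echoed


def demo(claimed_length: int, payload: bytes = b"hi"):
    """Run both handlers on the same record and return (vulnerable_reply, fixed_reply)."""
    record = build_heartbeat_record(payload, claimed_length)
    memory = make_memory(record, NEIGHBOUR)
    return (handle_heartbeat_vulnerable(memory, 0, len(record)),
            handle_heartbeat_fixed(memory, 0, len(record)))


if __name__ == "__main__":
    honest_vuln, honest_fixed = demo(2)      # length field matches the 2-byte payload
    lying_vuln, lying_fixed = demo(60)       # length field claims 60 bytes for a 2-byte payload
    print("honest request, both handlers echo:", honest_vuln[3:], honest_fixed[3:])
    print("oversized request, vulnerable handler leaks:", lying_vuln[3:])
    print("oversized request, fixed handler replies:", lying_fixed)
```

The point to take from the two handlers is that nothing cryptographic was broken: the encrypted channel worked as designed, and the leak came purely from a missing length comparison on one message type. It is also why patching was the only real fix; no configuration change on the client side could stop a server from answering an oversized heartbeat.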

Even though the Heartbleed vulnerability was only discovered in a research environment, the vulnerable code had been present in OpenSSL for a lot longer. That being said, no evidence has been put forward yet to show that this vulnerability was exploited in the wild prior to the vulnerability report on April 1st.

Who discovered it?

The credit for the discovery is still up for debate.

Google:
Neel Mehta of Google’s Security Team reported the discovery on April 1st 2014, with a patch that had been developed on March 21st by Bodo Moeller and Adam Langley of Google. There is an interesting story over on rt.com which discusses the claim that Google kept the discovery under lock and key from the US Government. Then on April 11th the NSA was accused of having used Heartbleed over the past 2 years to intercept data, to which the NSA responded that it had no knowledge of the vulnerability.

Codenomicon:
A secondary report was filed by Codenomicon on April 3rd 2014, who coined the term “heartbleed”, gave it a logo and lashed up a website to get the word out.

NSA:
It has apparently been confirmed by two unnamed sources that the NSA had been exploiting the Heartbleed vulnerability since it was “accidentally” introduced to the OpenSSL code base back in 2012. Information has come to light in the documents leaked by NSA whistleblower Edward Snowden that discusses Project BULLRUN, part of which focuses on undermining SSL technology. There is a complete write-up on this over on Wired.com.

However, as stated in the rt.com article linked above, the NSA has since released a statement denying any knowledge of Heartbleed. I will leave it up to the readers to determine how much faith to put in that statement.

So what happened after the discovery?

After the April 1st report was filed for Heartbleed, it wasn’t until April 7th that the official announcement was made.

When the Heartbleed vulnerability was made public, a patch for the problem was released at the exact same time. Most of the larger sites patched their implementations of OpenSSL before the April 7th announcement, a further number within the first 24 hours, and pretty much everyone else within a few days.

So, “assuming” this vulnerability wasn’t in use in the wild prior to its April 1st report, attackers would only have had a window of a few hours to a few days to exploit vulnerable instances of OpenSSL.

This was a very important discovery and “potentially” one of the most dangerous vulnerabilities since the birth of the World Wide Web. However, the way most news media reported it was that everybody’s passwords had been stolen: run and hide!! Even the founder of the Tor Network told people to just flat out stay offline. Everybody needed to take a deep breath for a second and look at what was actually happening before jumping on the panic bandwagon.

Was any data compromised by Heartbleed?

The short answer: yes. From current reports it looks like the first reported attack was on April 8th, against the Canada Revenue Agency. There have also been a number of failed attack attempts.

So what should you do?

If you want to take the better safe than sorry approach, simply update your passwords. However, I will take this moment to say that it is good practice to have a password cycle date anyway. Whether that is every 6 months or even once a year, you should change all your passwords.

There is a hit list of sites that were potentially impacted by Heartbleed over on Mashable.com.

And more importantly, was Boom22 impacted by Heartbleed?

You’ll be delighted to know that Boom22 and its clients were not impacted in any way by the recent Heartbleed discovery.

We continue to be awesome for our clients!

The post Heartbeat, Heartbleed & Boom22 appeared first on Boom 22 - Web Site Developer iPhone Android App Developer SEO Search engine optimisation providers Sandyford, Blackrock, Dublin, Ireland.